Feb. 12, 2014

Written by

Free Press Staff Writer

The incidents

• Dec. 22: A individual received two invoices in the mail, one belonging to another customer. A Health Connect worker inadvertently put two people’s invoices in one envelop. • Jan. 3: An insurance broker reported seeing an account for an individual with the same name as the broker’s client. Before realizing the mistake, the broker mailed a copy of the invoice to the client. A Health Connect worker entered information from a paper application into an account, not realizing the people were different despite having the same name. • Jan. 8, 11 and 24: Four instances in which customers logged into their accounts and found scanned checks from other people with similar names. The payment processor mistakenly put the checks in incorrect accounts. • Jan. 13: A customer’s Green Mountain card, the insurance card for Medicaid, was mailed to her former address. The error was attributed to a problem with “data reconciliation” between the state’s benefit eligibility system and the Vermont Health Connect data system.

Each of the breaches was small-scale. Errors by Health Connect staff resulted in invoices being sent to incorrect individuals in two instances, in scanned checks being posted to incorrect accounts and in a health insurance card being mailed to the wrong address.

The incidents took place between Dec. 16 and Jan. 24, and are in addition to two similar breaches reported in the fall.

“Anytime anyone gets to see another person’s information, it is very serious,” House Health Care Committee Chairman Michael Fisher, D-Lincoln, said Wednesday. He added, “It sounds to me that the administration is looking seriously at it.”

Fisher expected his committee would have questions for Mark Larson, commissioner of the Department of Vermont Health Access, when he delivers his weekly update to the panel on Friday.

“We need to shed some light on it and take testimony on it,” Fisher said.

Lawmakers learned of the breaches from a memorandum that Larson sent Tuesday to the heads of two Senate and three House committees. Larson noted that each breach had been reported to the Centers for Medicare and Medicaid Service, since Vermont Health Connect is a federally mandated health insurance marketplace.

All parties affected by the breaches had also been contacted, Larson said.

Larson came under fire in the fall because he failed to provide information about the first privacy breach when he was asked about security by a member of the House Health Care Committee.

He was quick to report the second incident, which occurred in early December. This week’s memo is the first account of any subsequent incidents.

Larson assured lawmakers in his memo that "Based on our analysis, these incidents did not include any breach of security or reveal any technology issues that require mitigation.”

Rep. Doug Gage, R-Rutland, sits on the House Health Care Committee, acknowledged, “There isn’t any site secure 100 percent of the time but this site certainly has its troubles.”

Gage noted that the administration has rejected suggestions that the state find a new technology contractor for Vermont Health Connect. Gage is frustrated. “Somebody needs to get it right.”